Abstract

We present a construction of expander graphs obtained from Cayley graphs of narrow ray class groups, whose eigenvalue bounds follow from the Generalized Riemann Hypothesis. Our result implies that the Cayley graph of $(\mathbb{Z}/q\mathbb{Z})^*$ with respect to small prime generators is an expander. As another application, we show that the graph of small prime degree isogenies between ordinary elliptic curves achieves non-negligible eigenvalue separation, and explain the relationship between the expansion properties of these graphs and the security of the elliptic curve discrete logarithm problem.

1 Introduction 

Expander graphs are widely studied in many areas of mathematics and theoretical computer science, and such graphs are useful primarily because random walks along their edges quickly become uniformly distributed over their vertices. Several beautiful constructions of expanders have been based on deep tools from representation theory and arithmetic, for example Kazhdan's Property (T) [38] and the Ramanujan conjectures [35, 39].

The main contribution of this paper is a new, conditional construction of expanders based on the Generalized Riemann Hypothesis (GRH), which arises naturally in the study of the elliptic curve discrete logarithm problem. This cryptographic connection is investigated in our parallel paper [23], where it is used to establish that the discrete logarithm problem has roughly uniform difficulty for equal sized curves. The present paper contains a generalization of the main theorem in that paper, along with explanations and applications of a more mathematical nature.

*Partially supported by NSERC Discovery Grant #341769-07

†Partially supported by NSF grant DMS-0601009 and an Alfred P. Sloan Foundation Fellowship

We briefly review some notions from graph theory, including that of expander graph from above. By an undirected graph $\Gamma = (V, \mathcal{E})$ we mean a set of vertices $V$ and (unoriented) edges $\mathcal{E}$ connecting specified pairs of vertices. Suppose that the graph is finite and is furthermore $k$-regular, meaning that there are exactly $k$ edges incident to each vertex. The adjacency operator $A$ acts on functions on $V$ by averaging them over neighbors:

$$(Af)(x) = \sum_{\substack{y \\ x \text{ and } y \text{ connected by an edge}}} f(y). \qquad (1.1)$$

Since the graph is regular, the constant function $\mathbf{1}(x) = 1$ is an eigenfunction of $A$ with eigenvalue $k$, which is accordingly termed the trivial eigenvalue $\lambda_{\mathrm{triv}}$ of $A$. It is straightforward to see that the multiplicity of $\lambda_{\mathrm{triv}}$ is equal to the number of connected components of the graph, and that $\lambda_{\mathrm{triv}}$ is the largest eigenvalue of $A$ in absolute value. An expander graph is a graph for which the nontrivial eigenvalues satisfy the bound

$$\lambda \le \lambda_{\mathrm{triv}}(1 - \delta) \quad \text{for some fixed constant } \delta > 0. \qquad (1.2)$$

If the nontrivial eigenvalues further satisfy the stronger bound

$$|\lambda| \le \lambda_{\mathrm{triv}}(1 - \delta), \qquad (1.3)$$

then a standard lemma (e.g. Lemma 2.1) shows that random walks of length $\gg \log_2 |V|$ are equidistributed in the sense that they land in arbitrary subsets of $V$ with probability at least proportional to their size. This rapid mixing of the random walk is at the heart of most, if not nearly all, applications of expanders.

A group $G$ generated by a subset $S = S^{-1}$ can be made into the vertices of a Cayley graph $\mathrm{Cay}(G, S)$ by defining edges from $g$ to $sg$, for each $s \in S$ and $g \in G$.¹ For finite abelian groups, the eigenfunctions of $A$ are precisely the characters $\chi: G \to \mathbb{C}^*$; indeed, the formula

$$(A\chi)(x) = \sum_{s \in S} \chi(sx) = \lambda_\chi\, \chi(x), \quad \text{where } \lambda_\chi = \sum_{s \in S} \chi(s), \qquad (1.4)$$

shows that the spectrum consists of character sums ranging over the generating set. The trivial eigenvalue $\lambda_{\mathrm{triv}} = |S|$ of course comes from the trivial character $\chi = 1$, and inequality (1.3) is satisfied if the character sums for $\lambda_\chi$, $\chi \neq 1$, have enough cancellation. Abelian Cayley graphs are a restricted yet important type of graph, and their expansion properties have been well studied (e.g. [2], [36]). To be expanders, they cannot have bounded degree but must have at least $\Omega(\log |G|)$ generators.

¹ Note that all graphs in this paper are undirected. We also allow for multiple edges by letting $S$ be a multiset when necessary, such as in the statement of Theorem 1.1.

The expander graphs produced by our construction are abelian Cayley graphs, and we give eigenvalue bounds for their character sums $\lambda_\chi$ using GRH. Before stating the construction, we briefly recall some terminology. For any integral ideal $\mathfrak{m}$ in a number field $K$, let $I_\mathfrak{m}$ denote the group of fractional ideals relatively prime to $\mathfrak{m}$ (i.e. those whose factorization into prime ideals contains no divisor of $\mathfrak{m}$). Let $P_\mathfrak{m}$ denote the principal ideals generated by an element $\kappa \in K^*$ such that $\kappa \equiv 1 \pmod{\mathfrak{m}}$, and let $P_\mathfrak{m}^+ \subset P_\mathfrak{m}$ denote those generated by such an element $\kappa$ which is furthermore totally positive (i.e. positive in all embeddings $K \hookrightarrow \mathbb{R}$). The quotients $I_\mathfrak{m}/P_\mathfrak{m}$ and $I_\mathfrak{m}/P_\mathfrak{m}^+$ are called, respectively, the ray and narrow ray class groups of $K$ relative to $\mathfrak{m}$.

Theorem 1.1. ("GRH Graphs"). Let $K$ be a number field of degree $n$, $\mathfrak{m}$ an integral ideal, and $G$ the narrow ray class group of $K$ relative to $\mathfrak{m}$. Let $q = D \cdot N\mathfrak{m}$, where $D$ is the discriminant of $K$ and $N\mathfrak{m}$ denotes the norm of $\mathfrak{m}$. Consider the set $\{\text{prime ideals } \mathfrak{p} \text{ coprime to } \mathfrak{m} \mid N\mathfrak{p} < x \text{ is prime}\}$, and let $S_x$ denote the multiset consisting of its image and inverse in $G$ (i.e., including multiplicities). Then assuming GRH for the characters of $G$, the graph $\Gamma_x = \mathrm{Cay}(G, S_x)$ has

$$\lambda_{\mathrm{triv}} = 2\,\mathrm{li}(x) + O\big(n x^{1/2} \log(xq)\big), \qquad (1.5)$$

while the nontrivial eigenvalues $\lambda$ obey the bound

$$|\lambda| = O\big(n x^{1/2} \log(xq)\big). \qquad (1.6)$$

In particular, if $B > 2$ and $x > (\log q)^B$,

$$|\lambda| = O\big((\lambda_{\mathrm{triv}} \log \lambda_{\mathrm{triv}})^{1/2 + 1/B}\big). \qquad (1.7)$$

The implied constants in (1.5) and (1.6) are absolute, while the one in (1.7) depends only on $B$ and $n$.



Remark 1.2. a) The Theorem immediately applies to quotients of narrow ray class groups, such as ray class groups themselves. This is because the spectrum of the quotient Cayley graph consists of eigenvalues for those characters which factor through the quotient.

b) The parameter $q$ should be thought of as large, in light of Minkowski's theorem that there are only a finite number of number fields with a given discriminant [32, p. 121].

c) The above bound on the spectral gap is worse than that for Ramanujan graphs [35], and thus abelian graphs are not optimal in this sense (see also [2], [36]). However, one gains explicit constructions that are simpler computationally; additionally, there are situations where these graphs occur naturally and the expansion bounds are helpful, as our following examples show.

From the abovementioned relationship between expander graphs and rapid mixing of random walks, we obtain the following application.

Corollary 1.3. Fix $B > 2$ and $n \ge 1$, and assume the same hypotheses of the previous theorem, including the choice of $x > (\log q)^B$. Then there exists a positive constant $C$ with the following property: for $q$ sufficiently large, a random walk of length

$$t \ge C\,\frac{\log q}{\log\log q}$$

from any starting vertex lands in any fixed subset $S \subset G$ with probability at least $\frac{|S|}{2|G|}$.

Let us now illustrate the theorem with a few examples. The first example is the field $K = \mathbb{Q}$, whose narrow ray class groups are of the form $(\mathbb{Z}/q\mathbb{Z})^*$, for $q > 1$. In this case the edges of the Cayley graph connect each vertex $v \in (\mathbb{Z}/q\mathbb{Z})^*$ to $pv$ and $p^{-1}v \pmod q$, for all primes $p$ such that $p < (\log q)^{2+\delta}$ and $p \nmid q$. Starting from any $v$ and taking random steps of this form results in a uniformly distributed random element of $(\mathbb{Z}/q\mathbb{Z})^*$ in $O((\log q)/\log\log q)$ steps. The character sum (1.4) for $\lambda_\chi$ here amounts to the sum $2\,\mathrm{Re} \sum_{p < (\log q)^{2+\delta}} \chi(p)$, so bounds on $\lambda_\chi$ yield statements about the distribution of small primes in residue classes modulo $q$. GRH, which is used in (1.7), is a natural tool for such problems. It seems difficult to obtain an unconditional result along these lines, because the special case when $\chi$ is a quadratic character modulo $q$ is related to the problem of estimating the smallest prime quadratic nonresidue modulo $q$. Finding such a prime is equivalent to obtaining any cancellation at all in the sum $\sum_{p < x} \left(\frac{p}{q}\right)$, and even this problem seems to require a strong hypothesis such as GRH. However, it is possible to use the Large Sieve to prove unconditional results for typical values of $q$, such as [11, Theorem 3], which shows that $\lambda/\lambda_{\mathrm{triv}}$ goes to zero outside of a sparse subset of moduli $q$.
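To make the $K = \mathbb{Q}$ case concrete, here is an added example (not code from the paper or its authors) that builds $\mathrm{Cay}((\mathbb{Z}/q\mathbb{Z})^*, S)$ for a constructed prime $q = 1019$ with $\delta = 1/2$, computes every eigenvalue through the character sums of (1.4) (for prime $q$ the group is cyclic, so the characters are $\chi_j(g^k) = e^{2\pi i jk/(q-1)}$ for a primitive root $g$, and $\lambda_{\chi_j} = 2\,\mathrm{Re}\sum_p \chi_j(p)$ because $S$ contains $p$ and $p^{-1}$), and runs the random walk exactly to measure its distance from the uniform distribution. The choices of $q$, $\delta$ and the walk length are assumptions made for the illustration.

```python
# Added example (not from the paper): the K = Q case of Theorem 1.1 made concrete.
# For a constructed prime q, build the multiset S = {p, p^{-1} : p < (log q)^{2+delta}, p does not divide q},
# compute the spectrum of Cay((Z/qZ)^*, S) via character sums, and run the walk exactly.
import math


def small_primes(bound):
    """Primes below `bound` by trial division (bound is tiny here)."""
    ps = []
    for n in range(2, bound):
        if all(n % r for r in ps if r * r <= n):
            ps.append(n)
    return ps


def primitive_root(q):
    """Generator of the cyclic group (Z/qZ)^*, q prime, found by brute force."""
    factors = {f for f in small_primes(q) if (q - 1) % f == 0}
    for g in range(2, q):
        if all(pow(g, (q - 1) // f, q) != 1 for f in factors):
            return g


def generators(q, delta):
    """The primes p < (log q)^{2+delta} with p not dividing q (one half of the multiset S)."""
    bound = math.log(q) ** (2 + delta)
    return [p for p in small_primes(int(bound) + 1) if p < bound and q % p != 0]


def spectrum(q, delta):
    """All eigenvalues lambda_chi = sum_{s in S} chi(s), one per character chi_j of (Z/qZ)^*.
    With S = {p, p^{-1}} this is 2 Re sum_p chi_j(p); index 0 is the trivial character."""
    g = primitive_root(q)
    ind, v = {}, 1                      # discrete-log table base g (q is small)
    for k in range(q - 1):
        ind[v] = k
        v = v * g % q
    ps = generators(q, delta)
    return [2 * sum(math.cos(2 * math.pi * j * ind[p] / (q - 1)) for p in ps)
            for j in range(q - 1)]


def walk_distribution(q, delta, steps):
    """Exact distribution of a `steps`-step uniform random walk started at the vertex 1."""
    ps = generators(q, delta)
    S = ps + [pow(p, -1, q) for p in ps]
    dist = {v: 0.0 for v in range(1, q)}
    dist[1] = 1.0
    for _ in range(steps):
        nxt = {v: 0.0 for v in range(1, q)}
        for v, pr in dist.items():
            if pr:
                for s in S:
                    nxt[s * v % q] += pr / len(S)
        dist = nxt
    return dist


def analyse(q=1019, delta=0.5, steps=25):
    """Spectral gap of the Cayley graph and total-variation distance of the walk from uniform."""
    lams = spectrum(q, delta)
    lam_triv = lams[0]                                  # = |S| = 2 * number of generator primes
    max_nontrivial = max(abs(l) for l in lams[1:])
    dist = walk_distribution(q, delta, steps)
    tv = 0.5 * sum(abs(pr - 1 / (q - 1)) for pr in dist.values())
    return {"degree": lam_triv, "max_nontrivial": max_nontrivial,
            "ratio": max_nontrivial / lam_triv, "tv_distance": tv}


if __name__ == "__main__":
    print(analyse())
```

The ratio reported by `analyse()` is the quantity that (1.6) and (1.7) bound; the total-variation distance after $t$ steps decays like $|G|^{1/2}(\max|\lambda|/\lambda_{\mathrm{triv}})^t$, which is the mechanism behind Lemma 2.1 and Corollary 1.3.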

The next example, when $K$ is an imaginary quadratic number field, is related to elliptic curves over finite fields. Using the correspondence between ordinary elliptic curves and ideal classes in orders of imaginary quadratic number fields, we prove the following theorem.

Definition 1.4. We say that two ordinary elliptic curves $E_1, E_2$ defined over $\mathbb{F}_q$ have the same level if their rings of endomorphisms $\mathrm{End}(E_i)$ are isomorphic. (In this paper, we follow the standard convention that $\mathrm{End}(E)$ refers to $\mathbb{F}_q$-endomorphisms.)

Theorem 1.5. Consider the set $S_{N,q}$ of $\mathbb{F}_q$-isomorphism classes of ordinary elliptic curves defined over $\mathbb{F}_q$ having $N$ points.² Fix an $E \in S_{N,q}$ and let $V$ be the set of all curves in $S_{N,q}$ having the same level as $E$. Form a graph on the set of vertices $V$ by connecting curves $E_1$ and $E_2$ with an edge if there exists an isogeny of prime degree less than $(\log 4q)^B$ between them, for some fixed $B > 2$. Then, assuming GRH, this graph is an expander graph in the sense that its nontrivial eigenvalues satisfy the bound (1.7).

Theorem 1.5 has implications for the security of the elliptic curve discrete logarithm problem. Recall that the discrete logarithm problem (DLOG) asks to recover the exponent $a$ of a power $g^a$ of a known element $g$. Its presumed difficulty serves as the basis of several cryptosystems, for example the Diffie-Hellman key exchange. Though many difficult problems in computer science are only hard in rare instances, good cryptosystems typically must be based on problems which are almost always hard. We recall that the DLOG problem on a given group has random self-reducibility: that means given an algorithm $A(g^a) = a$ which solves DLOG on, say, half of all input values $y$, we may easily find a random value of $r$ such that $A$ works on $y' = g^r y$, and deduce that $A(y) = A(y') - r$. Therefore, if DLOG is hard for some values of $y$, it must be hard for almost all values. Though this result says nothing about the absolute difficulty of the problem, it is a comforting assurance regarding the relative difficulty of multiple instances of the problem.

² We will frequently treat the elements of $S_{N,q}$ as curves, though strictly speaking they are isomorphism classes of curves. This distinction does not affect Theorem 1.6 because isomorphisms between curves in $S_{N,q}$ can be computed in time polynomial in $\log q$.
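The random self-reducibility argument above, as an added example that is not from the paper: a constructed partial DLOG "algorithm" $A$ in $(\mathbb{Z}/p\mathbb{Z})^*$ answers only when the discrete logarithm is even (half of all inputs), and the wrapper re-randomises the instance with $y' = g^r y$ until $A$ answers, returning $A(y') - r$. The prime $p = 1019$, the generator $g = 2$ and the oracle's rule are all assumptions made for the illustration.

```python
# Added example (not from the paper): random self-reducibility of DLOG with a
# constructed partial oracle in (Z/pZ)^*.
import random

p = 1019          # constructed prime
g = 2             # 2 is a primitive root mod 1019: p = 3 (mod 8) makes 2 a non-residue,
                  # so 2^509 != 1, and 2^2 != 1; p - 1 = 2 * 509 has no other prime factors

LOG, v = {}, 1    # full log table; used only to build the toy oracle
for k in range(p - 1):
    LOG[v] = k
    v = v * g % p


def partial_oracle(y):
    """Toy algorithm A: solves DLOG only on inputs whose log is even (half of the group)."""
    x = LOG[y]
    return x if x % 2 == 0 else None


def self_reduce(y, oracle, rng=random.Random(1)):
    """Turn an oracle that works on a constant fraction of inputs into one that works on all.
    Returns (log_g(y), number of oracle queries used)."""
    queries = 0
    while True:
        r = rng.randrange(p - 1)
        queries += 1
        ans = oracle(pow(g, r, p) * y % p)        # y' = g^r y is a uniformly random instance
        if ans is not None:
            return (ans - r) % (p - 1), queries  # A(y) = A(y') - r, modulo the group order


def check(x):
    """Recover x from y = g^x through the wrapper; True iff the recovered value is correct."""
    y = pow(g, x, p)
    recovered, queries = self_reduce(y, partial_oracle)
    return recovered == x % (p - 1), queries


if __name__ == "__main__":
    print(check(777))   # 777 is odd, so the oracle alone refuses g^777
```

Each query succeeds with probability $1/2$ independently of $y$, so the expected number of queries is 2 regardless of which half the oracle happens to cover.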

Elliptic curve cryptography [7, 28, 41] is based on the conjectured difficulty of DLOG problems within the group of points of an elliptic curve over a finite field. At present, cryptographers typically select elliptic curves in the following way: a large finite field $\mathbb{F}_q$ is selected, and an elliptic curve $E/\mathbb{F}_q$ is generated at random. Its order $\#E(\mathbb{F}_q)$ is quickly computed [13, 15], and the curve is discarded unless the order has a large prime factor (because otherwise DLOG is much easier). It is also checked from the point count whether or not $E$ is supersingular or has other weaknesses, and if it is then the curve is discarded.³ The above practice efficiently yields elliptic curves thought to be suitable for cryptographic purposes. An obvious question is whether or not other considerations are important, i.e. whether the point count is the only factor influencing the difficulty of DLOG on an elliptic curve over a fixed finite field.
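The selection procedure just described, as an added example at toy scale (not code from the paper): the point count is obtained by summing Legendre symbols, which is fine for a small prime field but is no substitute for Schoof/SEA, and the curve is then screened for a large prime factor of $\#E(\mathbb{F}_p)$ and for supersingularity, which for a prime field of characteristic $p > 3$ is the condition $t = 0$, i.e. $\#E = p + 1$. The curves, the field sizes and the "large prime" threshold are constructed here.

```python
# Added example (not from the paper): toy version of the curve-selection checks
# (point count with a large prime factor; reject supersingular curves).


def legendre(v, p):
    """Legendre symbol (v/p) for an odd prime p."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1


def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a x + b, including the point at infinity (naive Legendre sum)."""
    return p + 1 + sum(legendre(x ** 3 + a * x + b, p) for x in range(p))


def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n) if n > 1 else f


def screen_curve(p, a, b, min_prime_bits=4):
    """Mimic the selection checks: reject if E is singular, supersingular (t = 0 for p > 3),
    or if #E has no prime factor of at least `min_prime_bits` bits (constructed threshold)."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        return {"accept": False, "reason": "singular"}
    N = count_points(p, a, b)
    t = p + 1 - N                                   # trace of Frobenius, |t| <= 2 sqrt(p)
    report = {"N": N, "t": t, "largest_prime": largest_prime_factor(N),
              "supersingular": t % p == 0}
    if report["supersingular"]:
        report.update(accept=False, reason="supersingular")
    elif report["largest_prime"].bit_length() < min_prime_bits:
        report.update(accept=False, reason="no large prime factor")
    else:
        report.update(accept=True, reason="ok")
    return report


if __name__ == "__main__":
    # constructed inputs: y^2 = x^3 + 1 over F_1019 (1019 = 2 mod 3, so supersingular)
    print(screen_curve(1019, 0, 1))
    # constructed inputs: y^2 = x^3 + 2x + 10 over F_13 has 18 points
    print(screen_curve(13, 2, 10))
```

The two checks read the same number $N$ in two ways: its factorisation decides the generic Pollard-rho cost, while $t = p + 1 - N$ decides the supersingular case that footnote 3 refers to.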

In studying this question, the random self-reducibility fact from above does not apply, because it pertains only to a single curve, and says nothing about the comparative difficulty of DLOG between two different curves. However, we can instead use the fact that an efficiently computable isogeny provides a reduction of the DLOG problems between two curves. Furthermore, a theorem of Tate [32] states that all curves of cardinality $N$ defined over $\mathbb{F}_q$ are isogenous, but unfortunately not all isogenies are efficiently computable, so the theorem does not immediately imply that all curves in $S_{N,q}$ have equivalent DLOG problems. On the other hand, isogenies of low degree are efficiently computable, and the rapid mixing in Theorem 1.5 says that their random compositions become uniformly distributed over curves within each level in $S_{N,q}$. This property allows us to establish that the difficulty of the elliptic curve DLOG problem is in a sense uniform over any given level. More precisely:

Theorem 1.6. With the hypotheses of Theorem 1.5, assume there is an algorithm $A$ which solves the discrete logarithm problem on a positive fraction $\mu$ of the elliptic curves in a given level. There exists an absolute polynomial $p(x)$ such that one can probabilistically solve the discrete logarithm problem on any curve in the same level with expected runtime $\frac{1}{\mu}\,p(\log q)$ times the maximal runtime of $A$.

³ Supersingular curves are thought to be cryptographically weaker, because of the existence of subexponential attacks on their DLOG problems [40]. This is not to say that no subexponential attacks exist for ordinary curves; in fact, some are known to succeed on a very modest proportion of them [16, 47], and of course other unknown ones may yet be discovered. The supersingular analog of Theorems 1.5 and 1.6 are given in [25, Appendix].

In practice, the level restriction in Theorem 1.6 is actually irrelevant. Indeed, if two curves in $S_{N,q}$ are not of the same level, then their levels must differ at either a small prime or a large prime.⁴ In the small prime case, we can still obtain DLOG reductions using low degree isogenies (cf. Section 5), and in the large prime case, no constructible examples of such pairs of curves are known. Several interesting theoretical questions remain concerning the large prime case and the true value of the isogeny degrees needed to achieve expansion. We describe some open problems in Section 7.

2 Expander Graphs 

In this section we recall a standard bound for the mixing time of a random walk on an expander graph, discuss the lack of nontrivial short cycles on the GRH graphs, and prove Theorem 1.1 and Corollary 1.3. We keep the notation and definitions of the introduction.

Lemma 2.1. Let $\Gamma$ be a finite $k$-regular graph for which the nontrivial eigenvalues $\lambda$ of the adjacency matrix $A$ are bounded by $|\lambda| \le c$, for some $c < k$. Let $S$ be any subset of the vertices of $\Gamma$, and $v$ be any vertex in $\Gamma$. Then a random walk of any length at least $\frac{\log(2|\Gamma|/|S|^{1/2})}{\log(k/c)}$ starting from $v$ will end in $S$ with probability between $\frac{|S|}{2|\Gamma|}$ and $\frac{3|S|}{2|\Gamma|}$.

Of course the probability range can be significantly narrowed by lengthening the walk, as it turns out even by a slight amount.

Proof. Letting $\chi_S$ and $\chi_{\{v\}}$ denote the characteristic functions of the sets $S$ and $\{v\}$, respectively, the number of paths of length $t$ which start at $v$ and end in $S$ is given by the $L^2$-inner product $\langle \chi_S, A^t \chi_{\{v\}} \rangle$. Let $P$ denote the projection from $L^2(\Gamma)$ onto the orthogonal complement of the constant functions; the operator $A$ preserves this space and its operator norm on it is bounded by $c$ because of our eigenvalue assumption. Then

$$\langle \chi_S, A^t \chi_{\{v\}} \rangle = \frac{k^t |S|}{|\Gamma|} + \langle P\chi_S, A^t P\chi_{\{v\}} \rangle. \qquad (2.1)$$

The latter term is bounded by

$$\big|\langle P\chi_S, A^t P\chi_{\{v\}} \rangle\big| \le \|P\chi_S\|\, \|A^t P\chi_{\{v\}}\| \le c^t\, \|P\chi_S\|\, \|P\chi_{\{v\}}\|. \qquad (2.2)$$

For $t \ge \frac{\log(2|\Gamma|/|S|^{1/2})}{\log(k/c)}$ this is at most half the size of the main term $k^t|S|/|\Gamma|$ from (2.1), as was to be shown. □

⁴ There is possibly an intermediate range, though its existence is somewhat fluid depending on hardware and software developments (see Section 7.1).

Next we come to the topic of girth, the length of the shortest closed cycle on the graph. Graphs with large girth are important in many applications, for example to the design of collision resistant hash functions and stream ciphers (see, for example, [18, 22, 2?]). The girth of a $k$-regular graph cannot be larger than $2\log_{k-1}|\Gamma|$. This inequality comes from counting the number of points $b(r)$ in a ball of radius $r$ in a $k$-regular tree; a graph with girth $\gamma$ satisfies the inequality $b(\gamma/2) \le |\Gamma|$, which gives an upper bound on $\gamma$. Random graphs tend to have small girth, but one can use probabilistic methods to show the existence of graphs having girth at least $(1 + o(1))\log_{k-1}|\Gamma|$, i.e. roughly half the optimal size. The LPS Ramanujan graphs have the largest known girths: $(4/3 + o(1))\log_{k-1}|\Gamma|$ [35]. It is an open question as to how large the girth can be.

Abelian Cayley graphs cannot have large girth because they have many short cycles of the form $xyx^{-1}y^{-1}$. To rule out these, one can speak of the nonabelian girth, which is the shortest cycle not having steps both of the form $x^a$ and $x^{-b}$ for $a, b > 0$ and $x \in S$. We remark that the graphs on $(\mathbb{Z}/q\mathbb{Z})^*$ described just after Theorem 1.1 have

$$\text{nonabelian girth of } \Gamma \ \ge\ (1 + o(1))\log_{k-1}|\Gamma|. \qquad (2.3)$$

Indeed, a cycle amounts to two products of small primes which are equal modulo $q$; by unique factorization, at least one of these products must be larger than $q$, which gives a lower bound on the number of factors. This argument also gives the same lower bound for the odd girth of $\Gamma$ (i.e. the shortest closed cycle of odd length), which again is relatively large. It should be noted, however, that this is not optimal; in fact there are code-based constructions [1, 2] which have nonabelian girth at least $(2 + o(1))\log_{k-1}|\Gamma|$. The reason for mentioning this, though, is that explicit examples of graphs with large nonabelian girth are important for cryptographic applications. We conclude this section with the proofs of Theorem 1.1 and Corollary 1.3.

Proof of Theorem 1.1. We explained in (1.4) and in the remarks following it that (1.5) and (1.6) follow from the following estimates for sums of characters $\chi$ of $G$:

$$\sum_{N\mathfrak{p} < x \text{ prime}} \big(\chi(\mathfrak{p}) + \chi(\mathfrak{p})^{-1}\big) = 2\,\mathrm{Re} \sum_{N\mathfrak{p} < x \text{ prime}} \chi(\mathfrak{p}) = 2r\,\mathrm{li}(x) + O\big(n x^{1/2}\log(xq)\big), \qquad (2.4)$$

with an absolute implied constant. Here $r = 1$ if $\chi$ is the trivial character, and $r = 0$ otherwise. Of course, $\chi$ may be viewed as a Hecke Grössencharacter on $I_\mathfrak{m}$ which is trivial on $P_\mathfrak{m}^+$. Hecke proved that its $L$-function

$$L(s, \chi) = \sum_{\mathfrak{a} \text{ integral ideal}} \chi(\mathfrak{a})(N\mathfrak{a})^{-s} = \prod_{\mathfrak{p} \text{ prime ideal}} \big(1 - \chi(\mathfrak{p})(N\mathfrak{p})^{-s}\big)^{-1} \qquad (2.5)$$

analytically continues to a holomorphic function on $\mathbb{C} - \{1\}$ of order 1, with at most a simple pole at $s = 1$ which occurs only when $\chi$ is the trivial character. Furthermore, he also established a standard functional equation for its completed $L$-function, which is a product of $L(s,\chi)$, $\Gamma$-factors of the form $\Gamma(\frac{s}{2})$, $\Gamma(\frac{s+1}{2})$, and $\Gamma(s)$, and a power $Q^{s/2}$ of some integer $Q > 0$ [23, p. 211]. The value of $Q$ varies with different characters, but is always bounded above by $q = D \cdot N\mathfrak{m}$. The Dirichlet series coefficients of $L(s,\chi)$, like those of any Artin $L$-function, satisfy the Ramanujan-Petersson conjecture.

Using these analytic properties, along with the assumption of GRH, one can derive the following standard estimate (which is found in [24, p. 114]):

$$\sum_{N\mathfrak{p} < x \text{ prime}} \chi(\mathfrak{p}) \log(N\mathfrak{p}) = rx + O\big(n x^{1/2} \log(x)\log(xQ)\big) \qquad (2.6)$$

for primitive characters $\chi$, again with an absolute implied constant. If $\chi$ is imprimitive, one must also include terms for prime ideals $\mathfrak{p}$ dividing $\mathfrak{m}$. There are at most $O(\log N\mathfrak{m}) = O(\log q)$ of these, so both their contribution and the existing error term in (2.6) can be safely absorbed into the enlarged error term $O(n x^{1/2}\log(x)\log(xq))$. This variant of (2.6) in turn implies (2.4) by a simple application of partial summation. □
Proof of Corollary 1.3. The proof follows from Lemma 2.1 once we have verified that $\log\frac{k}{c}$ is bounded below by a constant (depending on $B$ and $n$) times $\log\log q$ once $q$ is sufficiently large. Indeed, in our setting the degree is $k = \lambda_{\mathrm{triv}}$, and $c$ may be taken to be the bound in (1.7). For $q$ sufficiently large, $\log\frac{k}{c}$ is indeed bounded below by a constant times $\log\lambda_{\mathrm{triv}} \gg B\log\log q$. □

Remark 2.2. The main point of the Corollary is to give examples of rapid mixing over large graphs. However, for a finite number of cases when $q$ is small, the graph $\Gamma_x$ may actually be disconnected. In addition, the equidistribution is not as interesting in situations when the graph $\Gamma_x$ has relatively few vertices, i.e. when the narrow ray class number of $\mathfrak{m}$ is small. This can be computed explicitly as

$$|G| = \frac{2^{r_1}\, h(K)\, \big|(\mathcal{O}_K/\mathfrak{m})^*\big|}{[U(K) : U_\mathfrak{m}(K)]}, \qquad (2.7)$$

where $r_1$ is the number of real embeddings of $K$, $h(K)$ its class number, $\mathcal{O}_K$ its ring of integers, $U(K)$ its unit group, and $U_\mathfrak{m}(K) \subset U(K)$ its subgroup of totally positive units which are congruent to 1 (mod $\mathfrak{m}$) [8, Prop. 3.2.4]. For a fixed degree $n$, the class number $h(K)$ is $O(|D|^{1/2+\varepsilon})$ for any $\varepsilon > 0$, and so $|G|$ above is bounded by $O(q)$.



3 Elliptic curves

In this section we explain the connection between the GRH graphs and elliptic curves, and prove Theorem 1.5. For ease of presentation, we begin first with the case of elliptic curves defined over complex numbers, and then later explain how our results over complex numbers imply the corresponding results over finite fields.

Let $\mathcal{O}_D$ be an imaginary quadratic order of discriminant $D < 0$. Denote by $\mathrm{Ell}(\mathcal{O}_D)$ the set of all isomorphism classes of elliptic curves $E$ over $\mathbb{C}$ having $\mathcal{O}_D$ as their full ring of complex multiplication (i.e. having $\mathrm{End}(E) = \mathcal{O}_D$). It is well known that isomorphism classes of elliptic curves over $\mathbb{C}$ correspond bijectively with homothety classes of complex lattices [15, 1.1]; accordingly, we will write $E_\Lambda$ throughout for the elliptic curve corresponding to a complex lattice $\Lambda \subset \mathbb{C}$. Moreover, fixing an embedding $\mathcal{O}_D \subset \mathbb{C}$, one can show that ideal classes $\mathfrak{a} \subset \mathcal{O}_D$ give rise to precisely those lattices representing elliptic curves in $\mathrm{Ell}(\mathcal{O}_D)$ [9, 10.20], and that the map $\mathfrak{a} \mapsto E_\mathfrak{a}$ induces a bijection between the ideal class group $\mathrm{Cl}(\mathcal{O}_D)$ of $\mathcal{O}_D$ and $\mathrm{Ell}(\mathcal{O}_D)$.
The above paragraph thus explains the correspondence between ideal class groups and elliptic curves over $\mathbb{C}$. The following proposition describes how this correspondence behaves with respect to isogenies:

Proposition 3.1.

1. There is a well defined simply transitive action of $\mathrm{Cl}(\mathcal{O}_D)$ on $\mathrm{Ell}(\mathcal{O}_D)$, given by the formula

$$\mathfrak{a} * E_\Lambda := E_{\mathfrak{a}^{-1}\Lambda},$$

valid for any nonzero fractional ideal $\mathfrak{a} \subset \mathcal{O}_D$.

2. If $\mathfrak{a}$ is an invertible ideal of $\mathcal{O}_D$, one has $\Lambda \subset \mathfrak{a}^{-1}\Lambda$, and this inclusion induces an isogeny $E_\Lambda \to \mathfrak{a} * E_\Lambda$ of degree equal to the norm $N(\mathfrak{a})$ of the ideal $\mathfrak{a}$.

3. Up to isomorphism, every isogeny between two elliptic curves $E_1, E_2 \in \mathrm{Ell}(\mathcal{O}_D)$ arises in the above manner.

Proof. Items 1 and 2 are proved in [16, II.1] (for the case of $\mathcal{O}_D$ maximal) and [31] (for the general case).

To prove item 3, let $\phi: E_1 \to E_2$ be an isogeny and choose fractional ideals $\mathfrak{a} \subset \mathfrak{b}$ of $\mathcal{O}_D$ such that $E_\mathfrak{a} \cong E_1$ and $E_\mathfrak{b} \cong E_1/\ker(\phi) \cong E_2$. Since $\mathfrak{a} \subset \mathfrak{b}$, there exists an integral ideal $\mathfrak{c} \subset \mathcal{O}_D$ such that $\mathfrak{b}\mathfrak{c} = \mathfrak{a}$, whereupon the morphism $\psi: E_\mathfrak{a} \to \mathfrak{c} * E_\mathfrak{a}$ yields an isogeny which has the same kernel as $\phi$, and hence must be isomorphic to $\phi$. □

We now state and prove an analogue of Theorem 1.5 over the complex numbers.

Theorem 3.2. Let $\Gamma$ be the graph whose vertices are elements of $\mathrm{Ell}(\mathcal{O}_D)$ and whose edges are isogenies of prime degree less than some fixed bound $M > (\log|D|)^B$, for some absolute constant $B > 2$. Then, assuming GRH, the graph $\Gamma$ is an expander graph satisfying the bound (1.7).

Proof. We have already seen that the elements of $\mathrm{Ell}(\mathcal{O}_D)$ are in bijection with the elements of the group $\mathrm{Cl}(\mathcal{O}_D)$ [9, 10.20], and that the action of $\mathrm{Cl}(\mathcal{O}_D)$ on $\mathrm{Ell}(\mathcal{O}_D)$ defined in Proposition 3.1 coincides exactly with the translation action of $\mathrm{Cl}(\mathcal{O}_D)$ on itself under this bijection. Moreover, isogenies of prime degree less than $M$ correspond to integral ideals of prime norm less than $M$, and the inverses (i.e. complex conjugates) of these ideals have the same prime norm and thus also yield such isogenies. Hence, the graph $\Gamma$ is isomorphic to the Cayley graph of $\mathrm{Cl}(\mathcal{O}_D)$ under the generating set consisting of ideals of prime norm less than $M > (\log|D|)^B$.

Next we relate this graph to one covered by Theorem 1.1. Let $K = \mathbb{Q}(\sqrt{D})$ and $\mathfrak{m}$ the principal ideal generated by the conductor $c$ of the discriminant $D$ (i.e. the largest integer whose square divides $D$). Then the class group $\mathrm{Cl}(\mathcal{O}_D)$ is a quotient of the narrow ray class group of $K$ relative to $\mathfrak{m}$ [9, Prop. 7.22], and Theorem 1.1 applies directly to $\Gamma$ and equation (1.7) with $x = M$ gives the desired bound. □

In order to prove Theorem 1.5 from Theorem 3.2 we require the following classical result, known as Deuring's lifting theorem [10]:

Theorem 3.3.

1. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$, and let $\phi$ be a nontrivial endomorphism of $E$. There exists an elliptic curve $\tilde{E}$ defined over a number field $L$, a prime ideal $\mathfrak{p}$ of $L$, and an endomorphism $\tilde{\phi}$ of $\tilde{E}$ such that $\tilde{E}$ and $\tilde{\phi}$ reduce to $E$ and $\phi$ modulo $\mathfrak{p}$.

2. When $E$ is ordinary, the mod $\mathfrak{p}$ reduction map induces an isomorphism $\mathrm{End}(\tilde{E}) \cong \mathrm{End}(E)$.

Proof of Theorem 1.5. Since the curves in Theorem 1.5 are ordinary, there exists an imaginary quadratic order $\mathcal{O}_D$ such that $\mathrm{End}(E) = \mathcal{O}_D$. Observe that $(\log 4q)^B > (\log|D|)^B$, since $D = t^2 - 4q$ where the trace $t$ satisfies the Hasse bound $|t| \le 2\sqrt{q}$. Hence $(\log 4q)^B$ satisfies the condition for $M$ in Theorem 3.2.

We will now show that the graph $\Gamma$ in Theorem 3.2 is isomorphic to the graph defined in Theorem 1.5. The elliptic curves in $\mathrm{Ell}(\mathcal{O}_D)$ are all defined over the ring class field $H$ of $\mathcal{O}_D$. Identification of the vertices is accomplished by choosing a prime $\mathfrak{p} \subset H$ lying over the characteristic $p$ of $\mathbb{F}_q$, and reducing curves in $\mathrm{Ell}(\mathcal{O}_D)$ to obtain curves in $S_{N,q}$. Theorem 3.3 shows that this identification is surjective. To show that it is injective, consider two non-isomorphic curves $E_\mathfrak{a}$ and $E_\mathfrak{b}$ in $\mathrm{Ell}(\mathcal{O}_D)$, meaning that $\mathfrak{a}$ and $\mathfrak{b}$ lie in different ideal classes in $\mathrm{Cl}(\mathcal{O}_D)$. By the Chebotarev density theorem, there exists an unramified prime ideal $\mathfrak{c}$ belonging to the same ideal class as $\mathfrak{a}\mathfrak{b}^{-1}$; note in particular that $\mathfrak{c}$ is not principal. By Proposition 3.1 the ideal $\mathfrak{c}$ induces an isogeny $\phi$ between $E_\mathfrak{a}$ and $E_\mathfrak{b}$ having degree equal to $N(\mathfrak{c})$. If the reductions $\bar{E}_\mathfrak{a}$ and $\bar{E}_\mathfrak{b}$ of $E_\mathfrak{a}$ and $E_\mathfrak{b}$ modulo $\mathfrak{p}$ were to be somehow isomorphic, then $\bar{\phi}$ would represent an endomorphism of $\bar{E}_\mathfrak{a}$, of degree $N(\mathfrak{c})$. However, we know the endomorphism ring of $\bar{E}_\mathfrak{a}$ is equal to $\mathcal{O}_D$, and no element of $\mathcal{O}_D$ has norm equal to $N(\mathfrak{c})$ (this is because $\mathbb{Q}(\sqrt{D})$ is an imaginary quadratic number field). Thus the endomorphism ring $\mathcal{O}_D$ cannot contain any endomorphism of degree equal to $N(\mathfrak{c})$.

Likewise, for each prime $\ell < (\log 4q)^B$, the reduction map modulo $\mathfrak{p}$ sends every isogeny of degree $\ell$ in characteristic 0 to an isogeny of degree $\ell$ in characteristic $p$. All isogenies in characteristic $p$ are obtained in this way, since isogenies of degree $\ell$ are given by the roots of the modular polynomial $\Phi_\ell(x, y)$, and this polynomial does not have more roots over the algebraic closure in characteristic $p$ than in characteristic 0. □

4 Relationship with discrete logarithms

Given a generator $g$ of a cyclic group $G$ of order $n$, the discrete logarithm of an element $h$ of $G$ is defined to be the residue class $x$ of integers mod $n$ such that $g^x = h$. The elliptic curve discrete logarithm problem is the problem of computing discrete logarithms when $G$ is the group of points on an elliptic curve defined over a finite field $\mathbb{F}_q$. Determining the difficulty of this problem is important because much of elliptic curve cryptography is based, at least conjecturally, on the infeasibility of computing discrete logarithms on elliptic curves defined over a finite field.

Galbraith [15] has observed that given an efficiently computable isogeny $\phi: E \to E'$, one can compute discrete logarithms on $E$ by computing discrete logarithms on $E'$. The procedure is as follows: given $P, Q \in E$, compute $\phi(P)$ and $\phi(Q)$, and determine the discrete logarithm $x$ of $\phi(Q)$ on $E'$ with respect to the generator $\phi(P)$. The equation $x \cdot \phi(P) = \phi(Q)$ determines the solution for $x$ modulo the kernel of $\phi$. When $\phi$ is furthermore a low-degree isogeny, it is both efficiently computable and has small kernel (which itself can be efficiently enumerated). Such an isogeny provides a reduction between the discrete logarithm problems on $E$ and $E'$, in time polynomial in $\log q$ and the degree. Moreover, a theorem of Tate [49] states that two elliptic curves $E$ and $E'$ defined over $\mathbb{F}_q$ have the same number of points if and only if they are isogenous. Tate's theorem guarantees the existence of an isogeny defined over $\mathbb{F}_q$ between curves in their equivalence classes, which computationally amounts to one between the curves themselves (see footnote 2). However, this isogeny usually is difficult to compute and has enormous degree.
We now use the above observation to give a proof of Theorem 1.6. Our proof consists of showing that, for curves of the same level, a composition of low-degree isogenies between them exists. Indeed, though the degree of such a composition may be very large, it can be computed efficiently; furthermore, it gives efficient reductions between all curves it connects.

Proof of Theorem 1.6. Returning to the isogeny graph of Theorem 1.5, let $S$ denote the subset consisting of the $\mu$-fraction of elliptic curves to which the algorithm $A$ applies. Let $E$ be any curve of the same level as the curves in $S$. Because of the effective upper bounds on class numbers, one has that $\log|S_{N,q}| \le c'\log q$, for some $c' > 0$. Construct a random walk of length $Cc'(\log q)/\log\log q$ starting at $E$, where $C$ is the constant in Corollary 1.3. Let $\phi$ denote the isogeny equal to the composition of the isogenies represented by the edges comprising the random walk. Then $\phi$ can be evaluated in polynomial time, and hence the discrete logarithm problem on $E$ can be solved efficiently by querying $A$, as long as the random walk above lands in $S$. By Corollary 1.3 the probability that the random walk lands in $S$ is at least $\frac{\mu}{2}$, so by repeating this process until the walk lands in $S$, we can solve discrete logarithms on $E$ in probabilistic polynomial time using an expected number of queries to $A$ bounded by $\frac{2}{\mu}$. □
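Galbraith's reduction (Section 4) and the walk of low-degree isogenies used in the proof above, as one added example that is not code from the paper or its authors: a walk of two 2-isogenies, each computed with Vélu's formulas from a rational 2-torsion point, transports a DLOG instance $Q = xP$ from a constructed curve $y^2 = x^3 + 7x + 971$ over $\mathbb{F}_{1019}$ to the end curve, where a brute-force solver stands in for the algorithm $A$. The image determines $x$ only modulo the order of $\phi(P)$; the kernel of the composed walk (order dividing $2^{\text{steps}}$) is then enumerated to lift the answer back to $E$. The curve, the prime, the point and the secret are all constructed for the illustration.

```python
# Added example (not from the paper): toy isogeny walk carrying a DLOG instance
# from E to an isogenous curve, with a brute-force solver standing in for A.

p = 1019          # constructed prime; p = 3 (mod 4), so sqrt(v) = v^((p+1)/4) for squares v
O = None          # point at infinity


def inv(v):
    return pow(v % p, p - 2, p)


def on_curve(E, P):
    a, b = E
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(E, P, Q):
    """Group law on y^2 = x^3 + a x + b over F_p (affine short Weierstrass)."""
    a, _ = E
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                     # P = -Q, including doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(E, k, P):
    R = O
    while k:
        if k & 1:
            R = add(E, R, P)
        P = add(E, P, P)
        k >>= 1
    return R


def order(E, P):
    n, R = 1, P
    while R is not O:
        R = add(E, R, P)
        n += 1
    return n


def two_torsion_x(E):
    """x-coordinate of a rational 2-torsion point: a root of x^3 + a x + b (brute force)."""
    a, b = E
    return next(x for x in range(p) if (x ** 3 + a * x + b) % p == 0)


def velu_2_isogeny(E, x0):
    """Codomain E' and the map phi of the 2-isogeny with kernel {O, (x0, 0)} (Velu's formulas)."""
    a, b = E
    t = (3 * x0 * x0 + a) % p
    w = x0 * t % p
    E2 = ((a - 5 * t) % p, (b - 7 * w) % p)

    def phi(P):
        if P is O or P[0] == x0:
            return O
        x, y = P
        d = inv(x - x0)
        return ((x + t * d) % p, (y - t * y * d * d) % p)
    return E2, phi


def isogeny_walk(E, steps):
    """Compose `steps` 2-isogenies E -> E_1 -> ... ; return the end curve and the composed map."""
    maps = []
    for _ in range(steps):
        E, phi = velu_2_isogeny(E, two_torsion_x(E))
        maps.append(phi)

    def composed(P):
        for phi in maps:
            P = phi(P)
        return P
    return E, composed


def bruteforce_dlog(E, P, Q, n):
    """k in [0, n) with k*P == Q; stands in for the algorithm A on the end curve."""
    R = O
    for k in range(n):
        if R == Q:
            return k
        R = add(E, R, P)


def dlog_via_walk(E, P, Q, steps=2):
    """Solve Q = x*P on E by transporting the instance along the isogeny walk."""
    E_end, phi = isogeny_walk(E, steps)
    P2, Q2 = phi(P), phi(Q)
    n, n2 = order(E, P), order(E_end, P2)
    x2 = bruteforce_dlog(E_end, P2, Q2, n2)          # x is known only modulo n2 = ord(phi(P))
    for k in range(n // n2):                         # at most |ker phi| candidates to lift
        cand = x2 + k * n2
        if mul(E, cand, P) == Q:
            return cand


def find_point(E, min_order=20):
    """First point (by x) of order >= min_order, so it lies in no 2-power kernel."""
    a, b = E
    for x in range(p):
        v = (x ** 3 + a * x + b) % p
        if v == 0 or pow(v, (p - 1) // 2, p) != 1:
            continue
        P = (x, pow(v, (p + 1) // 4, p))
        if order(E, P) >= min_order:
            return P


def demo():
    E = (7, 971)                       # constructed: y^2 = x^3 + 7x + 971; (3, 0) is 2-torsion
    P = find_point(E)
    n = order(E, P)
    secret = 123 % n                   # constructed instance Q = secret * P
    Q = mul(E, secret, P)
    E_end, phi = isogeny_walk(E, 2)
    homomorphic = (on_curve(E_end, phi(P)) and on_curve(E_end, phi(Q))
                   and phi(add(E, P, Q)) == add(E_end, phi(P), phi(Q)))
    return secret, dlog_via_walk(E, P, Q, 2), homomorphic


if __name__ == "__main__":
    print(demo())
```

The lifting loop is the "modulo the kernel" step of the text: with a walk of $s$ prime-degree steps the ambiguity is at most the kernel size, so it stays polynomial as long as each step has small degree, which is exactly why only low-degree isogenies are useful for this reduction.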

5 Reductions between different levels

It is natural to ask whether the equivalence of discrete logarithms holds for elliptic curves in different levels. We begin by observing that the CM field $\mathrm{End}(E) \otimes \mathbb{Q}$ is the same for all curves $E \in S_{N,q}$ regardless of level. Moreover, two curves $E, E'$ have the same level if and only if the conductors of their endomorphism rings in $\mathrm{End}(E) \otimes \mathbb{Q}$ are equal. It is thus natural to define the conductor gap to be the value of the largest prime factor at which the prime factorizations of the conductors of $\mathrm{End}(E)$ and $\mathrm{End}(E')$ differ; in addition, for a single curve $E$ we define the conductor gap of $E$ to be the maximal possible conductor gap over all possible pairs of isogenous $E, E'$. The conductor gap provides a rough measurement of how much the levels of $E$ and $E'$ differ.

Given any curve E whose endomorphism ring has conductor c, it is possible 
to compute a curve E' with conductor cℓ together with an isogeny E → E' 
of degree ℓ in time O(ℓ^3); the reverse, starting from E' of conductor cℓ and 
ending up with E of conductor c, is also possible in the same amount of time 
(PHIEISI 30J). Consider a union of any number of levels which collectively 
have conductor gap bounded polynomially in log q. Though the individual 
sizes of each level may be difficult to compute, formula (2.7) or [9, Cor. 7.28] 
allows one to compute their relative sizes efficiently. By weighting these sizes 
it is possible to select a level at random with probability proportional to 
its total size amongst this union. This level can be reached by appropriate 
low degree isogenies. Thus it is possible to reach a random curve through 
walks of low degree isogenies, and it follows that Theorem 1.6 holds for the 
union of any number of levels which collectively have conductor gap bounded 
polynomially in log q. 

Large conductor gaps do pose an obstacle in the statement of Theorem 1.6, 
but they rarely arise in practice. Indeed, every curve E ∈ S_{N,q} 
has at least the endomorphisms Z ⊂ End(E) and π_q ∈ End(E), with π_q 
denoting the Frobenius endomorphism. The discriminant of the quadratic 
order Z[π_q] is equal to t^2 − 4q where t = q + 1 − N, and the conductor of any 
curve in S_{N,q} must be an integer c satisfying c^2 | (t^2 − 4q). Thus, if t^2 − 4q is 
square free, then all curves in S_{N,q} are of the same level, and in this case the 
level restriction in Theorem 1.6 is vacuous. More generally, as long as t^2 − 4q 
has no large repeated prime factors, the statement of Theorem 1.6 holds for 
all of S_{N,q}, by the previous paragraph. 

We can analyze the expected frequency of large conductor gaps as follows. 
The Hasse-Weil bound on t implies −4q ≤ t^2 − 4q ≤ 0. A random 
integer within this interval has probability 1 − ∏_{p>β} (1 − p^{−2}) of admitting 
a repeated prime factor p > β. Since this probability is bounded above by 
O(1/β), we expect as a heuristic that, for any positive β < p, random choices 
of (N, q) will admit repeated prime factors exceeding β with probability 1/β. 
In fact, [37, Theorem 1] rigorously proves the probability estimate ^ og ^ for 
β ≤ p^{1/6}, where q = p is odd. Therefore, in most cases, conductor gaps between 
elliptic curves are quite small and we can ignore the effects of differing 
endomorphism rings in our discrete logarithm comparisons. For example, an 
investigation of nine randomly generated curves listed in international standards 
documents reveals that all of them have conductor gap ≤ 3 (cf. Section 6). 
In fact, a somewhat surprising observation is that there is currently no efficient 
algorithm to construct pairs of elliptic curves with conductor gaps that 
are not small, even though such pairs are known to exist in abundance (cf. 
Section 7). 
6 Government standards for curves 

In the previous section we showed that all curves in an isogeny class have 
identical security on average whenever the conductor gap is small. However, 
determining the conductor gap of a curve requires factoring a large integer 
and hence is a nontrivial computation. In this section we provide the com- 
putation of the conductor gap for a family of randomly selected curves which 
appear as part of a US government standard. 

In 2000 the National Institute of Standards and Technology (NIST), a 
branch of the United States Department of Commerce, introduced a fam- 
ily of elliptic curves as standards for cryptographic applications [13]. The 
selection of these curves was the outcome of several years of testing. The 
NIST curves are generated by the values of secure hash functions applied to 
publicly-revealed seeds, making it plausible that they were not excessively 
manipulated before their public release. However, the user cannot be totally 
confident that there is not a backdoor or weakness in the published curve. 

Though it is hard to imagine arguing directly that discrete logarithms on a 
specific elliptic curve do not have good attacks, our results can be used to give 
some assurance that the NIST curves are not weaker than comparable elliptic 
curves. Namely, Theorem 1.6 and the comment immediately following it show 
that the discrete logarithm problem has roughly equivalent difficulty as one 
ranges over curves defined over the same field, and whose endomorphism 
rings have small conductor gap. 

Some of the NIST curves are Koblitz curves [29], which are not expected 
to have small conductor gaps. However, for the remaining NIST curves, some 
lengthy computations showed that the conductor gap is very small: all but 
one curve had a conductor gap of 1, and the only exception had a conductor 
gap of 3. That means that in the former cases, the isogeny class consists 
of only one level, and Theorem 1.6 provides a full equivalence of discrete 
logarithms. Only in the exceptional case with conductor gap 3 must one 
navigate between levels (the topic of Section 5); this can easily be done by 
constructing a degree 3 isogeny between them. Therefore we may conclude 
that these curves have typical difficulty among all elliptic curves defined over 
the same field and having the same number of points. 

As an example, consider the NIST curve B-571, which is given by the 
Weierstrass equation y^2 + xy = x^3 + x^2 + b over the field F_{2^{571}}. Here b is an 
element of F_{2^{571}} which is cumbersome to describe but can be found on p. 47 
of [33]. It has discriminant 

d = -210092063841005638410400838462812964562253124135523060955333\ 
767330638498791801056156659734237518468659692798673383993911\ 
7805779057685920700296348 18955 1 1008772786625592941 143 

(6.1) 

and prime factorization 

= - 137 * 1502689 * 5608493523058319 * 3563521804312876303 

* 46393104672338327566438581332776443577 

* 1 10062885101747737373848971769992595641 1395060089467152067605\ 
28637300688225399301632484625559 

(we have written out the decimal expansion of d over several lines owing to its 
length). One can determine the conductor gap from this factorization: it 
is the largest square factor, which in this example is 1. 
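The following Python is an added example, not code from the paper: it computes the conductor c of Z[π_q] with t^2 − 4q = c^2 d_K and the resulting conductor gap for a small constructed isogeny class, going slightly beyond the "largest square factor" rule above by handling the prime 2 through the fundamental-discriminant convention. The sample values q = 1009, N = 1008 and N = 1009 are constructed and do not come from the paper.

```python
# Added example, not code from the paper: Frobenius conductor and conductor
# gap of an ordinary isogeny class over F_q from the discriminant t^2 - 4q of
# Z[pi_q] (Sections 5 and 6). trial_factor() suits only the small constructed
# inputs below; the B-571 discriminant needed dedicated factoring software.
def trial_factor(n):
    """Prime factorisation of |n| as a list of (p, e) pairs ([] for |n| = 1)."""
    n = abs(n)
    factors, p = [], 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1 if p == 2 else 2
    if n > 1:
        factors.append((n, 1))
    return factors

def frobenius_conductor(d, factors):
    """Conductor c of Z[pi_q] with discriminant d = c^2 * d_K, d_K fundamental.
    Write d = f^2 * d0, d0 squarefree: d_K = d0 if d0 = 1 (mod 4), else 4*d0,
    so c = f or f/2 (the prime 2 needs this care beyond "largest square factor").
    The conductor of End(E) for every curve in the class divides c (Section 5)."""
    assert d < 0 and d % 4 in (0, 1), "t^2 - 4q must be a negative discriminant"
    f, d0 = 1, -1
    for p, e in factors:
        f *= p ** (e // 2)
        if e % 2:
            d0 *= p
    return f if d0 % 4 == 1 else f // 2

def conductor_gap(c):
    """Largest prime dividing c: the maximal gap between two curves of the
    class (Section 5's definition); 1 when c == 1, i.e. a single level."""
    return max((p for p, _ in trial_factor(c)), default=1)

def conductor_gap_from_count(N, q):
    """(d, c, gap) for the class of curves over F_q with N points, t = q+1-N."""
    t = q + 1 - N
    assert t * t < 4 * q, "Hasse-Weil bound violated (or supersingular)"
    d = t * t - 4 * q  # discriminant of Z[pi_q]; assumes p does not divide t
    c = frobenius_conductor(d, trial_factor(d))
    return d, c, conductor_gap(c)

if __name__ == "__main__":
    # Constructed samples over F_1009: N = 1008 gives t = 2, d = -4032 = -24^2 * 7
    # (conductors divide 24, gap 3); N = 1009 gives t = 1, d = -4035 squarefree.
    print(conductor_gap_from_count(1008, 1009), conductor_gap_from_count(1009, 1009))
```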

We wish to mention that finding the above factorization was far from 
trivial, taking about 5 days on a dedicated cluster in the Netherlands which 
utilized specialized factoring software. Although determining the conductor 
gap is useful in assuring that a given elliptic curve is not cryptographically 
weak, clearly this is not a test which the average user can perform. It may 
be good practice for standards bodies to publish the factorization of the 
discriminants along with their recommended curves so that users have this 
information. 

7 Open problems 

In this section we address two shortcomings of Theorem 1.6. The first is 
that the Theorem, as stated, applies only to individual levels of curves. As 
noted just after its statement and further in Sections 5 and 6, curves whose 
levels differ by a ratio composed of small primes can be bridged by random 
isogenies; the issue is when the conductor gap has a large prime factor. 
The second is the strong analytic assumption of the Generalized Riemann 
Hypothesis. We conclude by discussing some related cryptographic problems. 
7.1 Large conductor gaps 

The equivalence result of Theorem 1.6 is incomplete in the sense that it 
does not apply to curves having a large conductor gap. Pairs of such curves 
certainly exist, but no efficient method is known for finding them, and indeed 
no explicit example is known at the present time. A curve chosen at random 
will have conductor greater than ℓ with probability heuristically equal to 
1/ℓ (see Section 5). As we mentioned in Section 5, it is possible to produce 
an explicit isogeny between two curves with conductor gap ℓ in time O(ℓ^3), 
which for large ℓ is far slower than solving discrete logarithms themselves. 
Additionally, it was recently shown in [12] how to create special pairs of 
curves with conductor gap ℓ in time O(ℓ^2), without finding an explicit isogeny 
between them. All of these methods are too slow for large values of ℓ, but 
leave an intermediate range of conductor gaps which presently cannot be bridged 
by computable isogenies. 

The conductor gap question is especially pertinent for certain special 
classes of curves in cryptography such as pairing friendly curves (see [14]). 
All constructible examples of such curves are presently restricted to small 
discriminants, with the exception of certain families of curves having 
conductor gaps which fall within the above-mentioned intermediate range [6]; 
note, however, that these conductor gaps are still small enough that 
improvements such as Moore's law affect the boundaries of this range. There is 
some concern (although no proof) that discrete logarithms on such curves are 
weaker than on general pairing friendly curves. Achieving large conductor 
gaps for pairing friendly curves would help alleviate this concern, since our 
work then implies that pairing friendly curves with large discriminant are 
provably as secure as random pairing friendly curves. 

7.2 The assumption of GRH 

The theorems in this paper all assume the Generalized Riemann Hypothesis, 
which is used to obtain the error estimate in (2.6). Lighter analytic 
assumptions still imply nontrivial error estimates; for example the Generalized 
Lindelöf Hypothesis instead implies a bound of ≪_k x^{1/2+ε} Q^{ε} for any ε > 0 
[21]. This corresponds to a subexponential time algorithm in Theorem 1.6, 
as opposed to a polynomial time one. 

An unconditional proof of expansion seems out of reach at present. In 
the introduction it was explained why expansion bounds for A_χ imply bounds 
on the least quadratic nonresidue, and thus at present require an analytic 
assumption. The recent preprint [33] considers cancellation in the sums A_χ 
defined in (1.4) for other characters. 

Intriguingly, it has been widely speculated that the GRH implication of 
B > 2 in Theorem 1.1 is not sharp, and that B > 1 is in fact expected. This 
feature dates back to the suggestion of Littlewood that the Euler product 
for L(1, χ) could be approximated by the partial Euler product over primes 
smaller than (log Q)^B, for any B > 1. This approximation is consistent 
with the best known constructions of lower bounds for the error terms in the 
sums (2.6), and for related problems such as the least nonresidue problem 
PSHUlEll. Recent work of [211 111 ED] supports the validity of the wider 
range B > 1. This bound is also sharp from the point of view of the Alon- 
Roichman Theorem [2], which asserts that expanders must have at least 
logarithmic degree in the size of the graph. 

Finally, the constants in (2.6) are effective and numerical values for them 
have been obtained in [3111]. 

7.3 Generalizations to other cryptographic problems 

The elliptic curve discrete logarithm problem can be generalized to Jacobians 
of hyperelliptic curves or other curves of higher genus, and recently there has 
been some progress in obtaining efficiently computable isogenies between 
such abelian varieties [18]. At present, not enough such isogenies are known 
to enable any statement about reducibility of discrete logarithms between 
such Jacobians, but further developments could likely yield new results in 
this area. 

In a different vein, one can consider alternative cryptographic problems 
such as the Diffie-Hellman problem instead of the discrete logarithm problem. 
For example, the recent paper [26] shows that, for curves over a prime field, 
computing the least significant bit of a Diffie-Hellman secret with greater 
than 50% probability over a non-negligible fraction of curves is almost always 
equivalent to solving the full Diffie-Hellman problem itself (assuming GRH). 
The proof relies heavily on the rapid mixing properties of isogeny graphs for 
ordinary elliptic curves. 